We build with support for SELinux/AppArmor where applicable but
disable them at runtime, as even in permissive mode they're horribly
broken.
# Lower the default device timeout so we get a shell earlier if the root device does
# not appear for some reason.
systemd.default_device_timeout_sec=10
+ # Make sure no LSMs are enabled by default.
+ apparmor=0
+ selinux=0
+ enforcing=0
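Review bot: The comment above the added parameters overstates what they do: `apparmor=0` and `selinux=0` switch off those two modules only, and `enforcing=0` merely puts SELinux into permissive mode, so any other LSM the kernel was built with is untouched. Whether the per-module switches are honoured at all depends on the booted kernel (the `selinux=` boot parameter is optional in Kconfig, and the active LSM set is ultimately chosen by the `lsm=` list, which overrides CONFIG_LSM), and the hunk does not show which kernel the image boots. I would have the comment say what the lines actually do and why the permissive fallback is there: `# Disable SELinux and AppArmor at runtime: we still build against them, but they're broken for us even in permissive mode.` followed by `# enforcing=0 keeps SELinux permissive if the kernel ignores selinux=0.` If the kernel command line is assembled from several config fragments, it is not visible here whether a later fragment re-enables either LSM.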
-D analyze=true
-D bpf-framework=true
-D ukify=true
+ -D seccomp=true
+ -D selinux=auto
+ -D apparmor=auto
+ -D smack=true
+ -D ima=true
+ -D first-boot-full-preset=true
+ -D initrd=true
+ -D fexecve=true
)
# On debian-like systems the library directory is not /usr/lib64 but /usr/lib/<arch-triplet>/.
[Content]
Packages=
dmsetup
+ libapparmor1
libfdisk1
libfido2-1
libglib2.0-0
dpkg-dev
g++
libacl1-dev
+ libapparmor-dev
libaudit-dev
libblkid-dev
libbpf-dev